NetWeaver 7.4 SR2 Java Basic Configuration

Immediately after installing a NetWeaver Java system there are a handful of basic configuration steps common to most systems, regardless of usage type. For the most part these are well-covered in the installation guide and the online help documentation, as well as various SAP Notes, but here I will summarize the steps and give a few recommendations about options. Examples will be for a Windows/SQL Server platform, but generally you should be able to substitute your own platform.

If you don’t already have a copy of SAPCAR for unpacking archives, you can find it at Support Packages and Patches -> Browse Download Catalog -> Additional Components -> SAPCAR -> SAPCAR 7.20 -> Windows on x64 64bit.

Diagnostics Agent

It’s easy to miss in the guide, but the recommendation is to install the Diagnostics Agent before installing the application server. This is done with the same SWPM tool as for the primary installation, and uses the same kernel archive as a source. After launching SWPM, choose Generic Installation Options -> Diagnostics in SAP Solution Manager -> Install — Diagnostics Agent with 7.41/7.42 Kernel.

One important note is to choose your destination drive carefully, as this will end up being the same destination drive for your AS Java (they both reside under the same \usr\sap folder, in different subfolders). Subsequent installations of SAP components on the same host will default to (and generally be forced to) the same drive as the first installation, so this is when you are making that decision.

NetWeaver Administrator Remote Access

Typically the first step after completing the installation (and getting a backup) is to allow remote access to NetWeaver Administrator (NWA). As you will be using this tool quite a bit for the remainder of the configuration, it makes sense to do this first. By default, access to NWA is restricted to browsers installed on the local host, i.e. the server itself, which is only useful if you intend to constantly use Remote Desktop to the server console. While it certainly makes sense to restrict which workstations or network segments have access to this powerful tool, you will likely want to expand it to beyond just the server console.

From the server console, open Windows Explorer and navigate to \usr\sap\<SID>\SYS\global\security\data. Make a backup copy of the file icm_filter_rules.txt and then edit the file.

First, you will probably want to insert some line breaks to make it more readable, as out-of-the-box it appears to be all on one line. Then insert one or more lines so that the resulting file looks like this:

In the 4th line, substitute the appropriate network segment for “10.x.x.*” to include your administrative workstation.

Restart the system, then verify the configuration by confirming that you can access NWA via http://<hostname>:50000/nwa from your administrative workstation.

SAP License

Next up is the SAP License. From NWA, navigate to Configuration -> Infrastructure -> Licenses. Use Change System Type to set the type of system (dev, test, production, etc). Make a note of the hardware key.

In a different browser window, navigate to http://support.sap.com -> Keys, Systems & Installations -> View or request license keys -> Request Key from Install. Select the appropriate Installation Number, click New System, and fill in the appropriate information, including the hardware key. After submitting, you will typically get an email response back from SAP in a matter of minutes with the license in an attached file. Save the file.

Back in NWA, in the Licenses screen, click Install from File and browse to the received file.

System Data in SAP Support Site

At this time you should maintain the Usage Type (e.g., Adobe Document Services), the kernel version and patch, the SAP Router information, and basic details about the DB Server: hostname, IP address, instance numbers (00 and 01), and ‘yes’ to Message Server. Don’t worry about OS and DB versions, as they’ll be corrected automatically later. This provides a base to which Solution Manager can later synchronize details.

SPML Access

Later, when you execute Managed System Configuration in Solution Manager, it will be necessary for at least one administrative user to have SPML (Service Provisioning Markup Language) access, as described in Note 1647157 (How to Set up Access to the SPML Service on AS Java).

From NWA, navigate to Configuration -> Identity Management. Switch to view Roles, then click Create Role. Give the new role the following attributes:

SSL

Cryptographic Library

The cryptographic library (CommonCryptoLib 8.4) is included with the 7.42 kernel, so there is no need to separately download and install it. You will find it already present at \usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll.

Ticket File

What is missing, however, is the ‘ticket’ file. Fortunately, it is easy to create your own.

Navigate to \usr\sap\<SID>\J00\sec. Create an empty text file and save it as ticket (no extension). That’s it. Without this, SSL will not function.

SSL Access Point

In NWA navigate to Configuration -> Security -> SSL. Under SAP Java Instances confirm that SSL Status is green. If it’s not, the most likely cause is a missing ticket file (see above). Note at this point it is normal for the Status under SSL Access Points to be red.

Under SSL Java Instances click Edit.

Under SSL Access Points click Add.

Set the Port to 50001 and save. Do not restart at the prompt.

SSL Key Pair

Ensure you have the appropriate CA (Certificate Authority) root certificate available. If not, you can generally download it as an X.509 Certificate (.cer) file from your chosen CA. If there are any other CA root certificates necessary to enable trust of other systems by this system, make them available now, too.

Select Back or Home at the top of the screen and navigate to Configuration -> Security -> Certificates and Keys.

Select the Key Storage View ICM_SSL_xxxxx.

Delete all the default View Entries (SAPPassportCA, ssl-credentials, and ssl-credentials-cert). Note that these are copies of templates found in the service_ssl view, so they can always be recovered.

Click Import Entry.

Entry type: X.509 Certificate

Browse to and import the CA root certificate.

Click Create.

Entry Name: <hostname of this system>

Leave most other fields at default (RSA, 2048 bits, etc).

Select the checkbox for Store Certificate.

For commonName enter the fully-qualified domain name (FQDN) of your system, for example javahost.domain.com.

Select the new private key you just created and click Generate CSR Request.

Choose the options required by your CA. If this is an internal-only server and you are using your own CA, such as Microsoft Certificate Services, select Base64 PKCS#10 and download the .pem file.

In a new window, navigate to your CA and submit your certificate request using the file you just downloaded. If you are using MS Certificate Services as an internal CA, choose Advanced certificate request and Submit a certificate request by using a base-64… Open the file you downloaded with Notepad and copy the contents into the Saved Request field and submit.

When you have the response from the CA, download it as Base64 encoded certificate chain and save it as hostname.p7b.

Back in NWA, with your private key selected, click Import CSR Response, browse to the p7b file, add it and import it.

Under Key Storage Views, with the ICM_SSL_xxxxx view selected, click Export View to PSE. A restart of the SSL Provider is necessary, but you can wait until after you configure the next section.
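Once the SSL provider has been restarted, the new key pair can be checked from an administrative workstation. The following is an added example, not part of the original post or any SAP tool: it validates the chain served on port 50001 against your CA root only, then checks the names and expiry of the certificate. The file name ca_root.pem, the 30-day threshold, the exact-match name comparison (no wildcards) and the sample values are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(fqdn, port=50001, ca_file="ca_root.pem"):
    """Return the server certificate, trusting only the CA root in ca_file (Base64/PEM)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # chain must lead to this root
    ctx.check_hostname = False  # names are checked in audit_cert so every issue is reported
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

def audit_cert(cert, fqdn, now=None, min_days=30):
    """Return a list of findings for a dict in ssl.getpeercert() format."""
    now = now or datetime.now(timezone.utc)
    findings = []
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    cn = subject.get("commonName", "")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if cn.lower() != fqdn.lower():
        findings.append(f"commonName {cn!r} does not match {fqdn}")
    if fqdn.lower() not in sans:
        # Current browsers and Python's own hostname check ignore commonName.
        findings.append(f"{fqdn} is not listed as a subjectAltName DNS entry")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < min_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings

# Constructed sample in getpeercert() format: commonName set as in the steps
# above, but no subjectAltName extension.
SAMPLE_CERT = {
    "subject": ((("commonName", "javahost.domain.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    for finding in audit_cert(SAMPLE_CERT, "javahost.domain.com"):
        print("FINDING:", finding)
    # Against the live system, after the SSL provider restart:
    # print(audit_cert(fetch_cert("javahost.domain.com"), "javahost.domain.com"))
```

If fetch_cert raises ssl.SSLCertVerificationError, the endpoint is not serving a chain issued by your CA root, which usually means the CSR response was not imported or the view was not exported to the PSE.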

SLD Data Supplier Connection

Although you probably configured this during the installation, it’s likely that it didn’t “take” and you’ll need to configure it again now.

Still in NWA, navigate to Configuration -> Infrastructure -> Destinations

Restart System

Log on to your SLD system and confirm successful registration of your new AS Java.

You’re now ready to proceed with Managed System Configuration in Solution Manager, after which you can set up a maintenance transaction to apply the latest Support Package Stack. That, however, is beyond the scope of this blog post.

This has been a quick overview of the basic initial configuration steps common to all AS Java 7.4 systems.

Nice work. Do you know what release was the NetWeaver Administrator Remote Access control first introduced in?

FWIW, you can define / change the location of the icm_filter_rules.txt via the icm/HTTP/mod_<xx> profile parameter – see ICM Parameters – Reference for ABAP and Java. This allows you to keep the standard file, in the standard location, and have your own one for debugging your rules (which can include other redirection rules as well as the NWA one that Matt describes).

I’m not completely certain. Although the tool exists in 7.0x, it’s not exactly useful in those releases (we still rely heavily on Visual Administrator there), so 7.4 is where I first encountered the filter. I haven’t worked with 7.1 or 7.3. Based upon a reading of Note 1616058, I believe it may have been introduced originally in 7.1, and then probably backported to earlier 7.0x releases with kernel and J2EE patches, but I can’t swear to that. Tomorrow when I’m back in the office I can experiment to see what behavior I encounter in 7.0x.

Good information about expanding on the use of the icm_filter_rules. I should have mentioned in the document that the main Note for this use case is 1451753, but it doesn’t go into tremendous detail. I was mainly focused on helping people get up and running with a basic system and avoid frustration without completely undoing all the safeguards built into the system. Clearly you can set up quite complex scenarios with this.

Good question, Andy! I don’t believe there is any technical restriction against installing the DA after the application server instead of before; it is just a general recommendation per the NetWeaver installation guide. In older versions of SWPM the DA would be automatically installed (or be offered for install) at the end of the application server installation, but beginning with SWPM SP5 this is no longer true. It now must be explicitly chosen in a separate run of SWPM. For this reason, I believe the recommendation to do it first is mainly to ensure that it gets done.

As for why the DA installation is no longer offered in the same step with the application installation, I think that is because SAP is nudging customers towards using agents-on-the-fly instead of explicitly installed agents. I haven’t addressed that here, however, as I don’t yet have a lot of personal experience with agents-on-the-fly, and in the case of non-HA environments the explicitly installed DA is still a little simpler to set up (or at least, that has been my experience; I’ll probably change my mind on this once I start using on-the-fly features more). As this document is addressing basic scenarios, I have not gone into the details of setting up an HA environment.

One other thing I should mention, or rather should have mentioned in the article, is that using the 7.41/7.42 kernel for the DA is only recommended if your Solution Manager system is at least 7.1 SP9. If you are on SP8 or lower, you can use the 7.4x kernel, but there are additional manual steps required to make it work, and thus it would be easier to use a 7.2x kernel for the DA. However, this means you must download two different kernel versions for a NW 7.4 system, which can be a pain. This restriction, and the manual workaround steps, are described in Note 1858920, though admittedly pretty far down in the details in that Note.

If this is an existing system, the license entry on the license generation webpage should already have all that information. Alternatively, you can find the System Number from NetWeaver Administrator: go to Configuration -> Infrastructure -> Licenses. There you should see the information you require to fill in the license request.